Several more security issues opened

 
From: "Justin John justin@PROTECTED [Dada Mail Developers]" <dadadev@PROTECTED>
Date: September 6th 2021
Howdy everyone, how’s v11.15.0 working for everyone? 

While finishing up work on getting the GET requests found in email messages - things like confirming your subscriptions, it dawned on me that Dada Mail has no checks for other GET requests, that should be POSTs. 

Here’s a scenario: you want to log into your mailing list, so you fill out the password in the login form. Works a peach. The login form uses a POST request, as it’s sending pretty sensitive information through the pipes (your password), but there’s no check to make sure it’s not a GET request. If it is, things will still work, but there’s a good chance that your password is then stored in the web server logs, which could then be viewed by someone else. 

That’s a pretty low chance that that’ll happen, but it is a chance. 

Here’s another scenario: the subscription form currently allows POST and GET requests. I’ve been working with some clients who have had their subscription forms hit hard by multiple attempts to subscribe by bots. This attack is a whole lot easier when the form can be submitted by a GET request, instead of specifically a POST request. 

This is exasperated by a bug in the Google reCAPTCHA v2 check. One of the error statuses Google reCAPTCHA v2 can give back is “hey, you’ve already tried this Google reCAPTCHA before”. When an error code like this is sent to Dada Mail, Dada Mail thinks there’s something wrong with the reCAPTCHA service, and let’s the reCAPTCHA return a successful result, rather than a failure. That sets up a problem, where you can remove the reCAPTCHA v2 protection, by just sending the same reCAPTCHA challenge/response string again and again. 

This isn’t easy to set up to make work - but it’s not impossible, and if you set it up, you can totally override the reCAPTCHA v2 protection in a very automated way. I’ve been able to confirm that this is an actual problem in the wild (since I know how to set this all up!). 

The fix for this is simple: 



Or, you can switch to reCAPTCHA v3 (although: sigh, there’s another bug out for that): 


Here are the other issues out for the, “should only be POSTs that are accepted, not POST and GETs” main issue. Are there any others people can think of? 
I’ll push out v11/15/1 soon, 

-- 

Justin J: Lead Dadaist
url:         dadamailproject.com
email:    justin@PROTECTED
twitter:  @dadamail

Dada Mail Announcements: 



  • This mailing list is a public mailing list - anyone may join or leave, at any time.
  • This mailing list is a group discussion list (unmoderated)
  • Start a new thread, email: dadadev@dadamailproject.com

This is the developer discussion mailing list for Dada Mail.

If you are just looking for support Dada Mail, consult the message boards at:

https://forum.dadamailproject.com

Documentation for Dada Mail:

https://dadamailproject.com/d

Specifically, see the Error FAQ:

https://dadamailproject.com/d/FAQ-errors.pod.html

To post to this list, send a message to:

mailto:dadadev@dadamailproject.com

All subscribers of this list may post to the list itself.

Topics that are welcome:

  • Constructive critiques on the program (I like, "x", but, "y" needs some work - here's an idea on how to make this better...)
  • Bug/Error reports
  • Bug fixes
  • Request For Comments on any changes to the program
  • Help customizing Dada Mail for your own needs
  • Patches
  • Language Translations
  • Support Documentation/Doc editing, FAQ's, etc.
  • Discussion of any changes that you would like to be committed to the next version of Dada Mail -

Dada Mail is on Github:

https://github.com/justingit/dada-mail/

If you would like to fork, branch, send over PRs, open up issues, etc.

Privacy Policy:

This Privacy Policy is for this mailing list, and this mailing list only.

Email addresses collection through this mailing list are used explicitly to work within this email discussion list.

We only collect email addresses through our Closed-Loop Opt-In system.

We don't use your email address for any other purpose.

We won't be sharing your email address with any other entity.

Unsubscription can be done at any time. Please contact us at: justin@dadamailproject.com for any help regarding your subscription, including removal from the mailing list.

All mailing list messages sent from us will include a subscription removal link, which will allow you to remove yourself from this mailing list automatically, and permanently.

All consent to use your email address for any other purpose stated at the time of the mailing list subscription will also be revoked upon mailing list removal.